asan_test.cc revision d39a34ee33aae73fdde065f784bdc19f67b91ae2
1551ccae044b0ff658fe629dd67edd5ffe75d10e8Reid Spencer//===-- asan_test.cc ------------------------------------------------------===// 27a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell// 3d442d2846a00c0ac2f031deba06b7e0d003f14adEric Christopher// The LLVM Compiler Infrastructure 4d442d2846a00c0ac2f031deba06b7e0d003f14adEric Christopher// 5d442d2846a00c0ac2f031deba06b7e0d003f14adEric Christopher// This file is distributed under the University of Illinois Open Source 691e7ccd98bfa3db5f5c5d2ffa1ffb4061043af40Eric Christopher// License. See LICENSE.TXT for details. 791e7ccd98bfa3db5f5c5d2ffa1ffb4061043af40Eric Christopher// 891e7ccd98bfa3db5f5c5d2ffa1ffb4061043af40Eric Christopher//===----------------------------------------------------------------------===// 946e6bcf3aca5496e51993dff0d3be2c0b45e4a8fEric Christopher// 1046e6bcf3aca5496e51993dff0d3be2c0b45e4a8fEric Christopher// This file is a part of AddressSanitizer, an address sanity checker. 1146e6bcf3aca5496e51993dff0d3be2c0b45e4a8fEric Christopher// 126b241160eddc96ec098c74a041a327d545df6ff7Chandler Carruth//===----------------------------------------------------------------------===// 136b241160eddc96ec098c74a041a327d545df6ff7Chandler Carruth#include "asan_test_utils.h" 146b241160eddc96ec098c74a041a327d545df6ff7Chandler Carruth 157f9ec910a38f769dc91f1b3b3a9b50ee1cecff19Rafael EspindolaNOINLINE void *malloc_fff(size_t size) { 167f9ec910a38f769dc91f1b3b3a9b50ee1cecff19Rafael Espindola void *res = malloc/**/(size); break_optimization(0); return res;} 177f9ec910a38f769dc91f1b3b3a9b50ee1cecff19Rafael EspindolaNOINLINE void *malloc_eee(size_t size) { 187e5c316b05d87a23abff03865d776bfb5634e7cdSebastian Pop void *res = malloc_fff(size); break_optimization(0); return res;} 197e5c316b05d87a23abff03865d776bfb5634e7cdSebastian PopNOINLINE void *malloc_ddd(size_t size) { 207e5c316b05d87a23abff03865d776bfb5634e7cdSebastian Pop void *res = malloc_eee(size); break_optimization(0); return res;} 21c69bdadac9431efc0cfa6832a321e0f51ab4e6cdEric ChristopherNOINLINE void *malloc_ccc(size_t size) { 22c69bdadac9431efc0cfa6832a321e0f51ab4e6cdEric Christopher void *res = malloc_ddd(size); break_optimization(0); return res;} 23c69bdadac9431efc0cfa6832a321e0f51ab4e6cdEric ChristopherNOINLINE void *malloc_bbb(size_t size) { 24af58cae8cb9c0ce64ae6a40990a4ad097c71e0e4Reid Spencer void *res = malloc_ccc(size); break_optimization(0); return res;} 25af58cae8cb9c0ce64ae6a40990a4ad097c71e0e4Reid SpencerNOINLINE void *malloc_aaa(size_t size) { 26af58cae8cb9c0ce64ae6a40990a4ad097c71e0e4Reid Spencer void *res = malloc_bbb(size); break_optimization(0); return res;} 27fc3f0b5c910cd60bb2d7cf6a882fd60e456df723Eric Christopher 28dd464df687faf544e83684d0c0e4da87c05f8bfeDaniel Dunbar#ifndef __APPLE__ 29dd464df687faf544e83684d0c0e4da87c05f8bfeDaniel DunbarNOINLINE void *memalign_fff(size_t alignment, size_t size) { 301aee22e0720932a82dd3bf3fc8be804fff6bb89aRafael Espindola void *res = memalign/**/(alignment, size); break_optimization(0); return res;} 311aee22e0720932a82dd3bf3fc8be804fff6bb89aRafael EspindolaNOINLINE void *memalign_eee(size_t alignment, size_t size) { 321aee22e0720932a82dd3bf3fc8be804fff6bb89aRafael Espindola void *res = memalign_fff(alignment, size); break_optimization(0); return res;} 33e0b0e7b2950d3c132004105bba5f36a8eaea7925Daniel DunbarNOINLINE void *memalign_ddd(size_t alignment, size_t size) { 34e0b0e7b2950d3c132004105bba5f36a8eaea7925Daniel Dunbar void *res = memalign_eee(alignment, size); break_optimization(0); return res;} 35e0b0e7b2950d3c132004105bba5f36a8eaea7925Daniel DunbarNOINLINE void *memalign_ccc(size_t alignment, size_t size) { 368c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer void *res = memalign_ddd(alignment, size); break_optimization(0); return res;} 378c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerNOINLINE void *memalign_bbb(size_t alignment, size_t size) { 388c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer void *res = memalign_ccc(alignment, size); break_optimization(0); return res;} 398c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerNOINLINE void *memalign_aaa(size_t alignment, size_t size) { 408c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer void *res = memalign_bbb(alignment, size); break_optimization(0); return res;} 418c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer#endif // __APPLE__ 428c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 438c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 448c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerNOINLINE void free_ccc(void *p) { free(p); break_optimization(0);} 458c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerNOINLINE void free_bbb(void *p) { free_ccc(p); break_optimization(0);} 468c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerNOINLINE void free_aaa(void *p) { free_bbb(p); break_optimization(0);} 478c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 488c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 498c8af327b83a210aed30634c908bb4b39f41eedbReid Spencertemplate<typename T> 508c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerNOINLINE void uaf_test(int size, int off) { 518c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer char *p = (char *)malloc_aaa(size); 528c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free_aaa(p); 538c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer for (int i = 1; i < 100; i++) 548c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free_aaa(malloc_aaa(i)); 558c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer fprintf(stderr, "writing %ld byte(s) at %p with offset %d\n", 568c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer (long)sizeof(T), p, off); 570c803894985f80e894b36ad4de58ea4c2e906b07Brian Gaeke asan_write((T*)(p + off)); 580c803894985f80e894b36ad4de58ea4c2e906b07Brian Gaeke} 590c803894985f80e894b36ad4de58ea4c2e906b07Brian Gaeke 608c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, HasFeatureAddressSanitizerTest) { 618c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer#if defined(__has_feature) && __has_feature(address_sanitizer) 628c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer bool asan = 1; 63f4bb9b1fa76564704a4ab6c27d5d72180b493e9aReid Spencer#elif defined(__SANITIZE_ADDRESS__) 64f4bb9b1fa76564704a4ab6c27d5d72180b493e9aReid Spencer bool asan = 1; 65f4bb9b1fa76564704a4ab6c27d5d72180b493e9aReid Spencer#else 6600ad26ff5760ff2d1b24acb18718e63541088923David Greene bool asan = 0; 6700ad26ff5760ff2d1b24acb18718e63541088923David Greene#endif 6800ad26ff5760ff2d1b24acb18718e63541088923David Greene EXPECT_EQ(true, asan); 698c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 708c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 718c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, SimpleDeathTest) { 72654dee487555a3cf21bcbca38ef5a2687fd18ea7Eric Christopher EXPECT_DEATH(exit(1), ""); 73654dee487555a3cf21bcbca38ef5a2687fd18ea7Eric Christopher} 74654dee487555a3cf21bcbca38ef5a2687fd18ea7Eric Christopher 75d749382c8cc991bc75a384212a898e2396a09837NAKAMURA TakumiTEST(AddressSanitizer, VariousMallocsTest) { 76481d402ab03e163e180d2650fae13704858f8d81Eric Christopher int *a = (int*)malloc(100 * sizeof(int)); 77481d402ab03e163e180d2650fae13704858f8d81Eric Christopher a[50] = 0; 788c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free(a); 798c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 808c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer int *r = (int*)malloc(10); 81f9a7132df8f8e0dd0f54fd603d358fc5a2285011Joerg Sonnenberger r = (int*)realloc(r, 2000 * sizeof(int)); 82f9a7132df8f8e0dd0f54fd603d358fc5a2285011Joerg Sonnenberger r[1000] = 0; 83f9a7132df8f8e0dd0f54fd603d358fc5a2285011Joerg Sonnenberger free(r); 84f9a7132df8f8e0dd0f54fd603d358fc5a2285011Joerg Sonnenberger 85f9a7132df8f8e0dd0f54fd603d358fc5a2285011Joerg Sonnenberger int *b = new int[100]; 86f9a7132df8f8e0dd0f54fd603d358fc5a2285011Joerg Sonnenberger b[50] = 0; 87f9a7132df8f8e0dd0f54fd603d358fc5a2285011Joerg Sonnenberger delete [] b; 88f9a7132df8f8e0dd0f54fd603d358fc5a2285011Joerg Sonnenberger 89e29b0aca51e3568a92869daa70c4a0351750fd1eNAKAMURA Takumi int *c = new int; 90e29b0aca51e3568a92869daa70c4a0351750fd1eNAKAMURA Takumi *c = 0; 91e29b0aca51e3568a92869daa70c4a0351750fd1eNAKAMURA Takumi delete c; 92e29b0aca51e3568a92869daa70c4a0351750fd1eNAKAMURA Takumi 938c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer#if !defined(__APPLE__) && !defined(ANDROID) && !defined(__ANDROID__) 948c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer int *pm; 958c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer int pm_res = posix_memalign((void**)&pm, kPageSize, kPageSize); 968c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_EQ(0, pm_res); 978c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free(pm); 988c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer#endif 998c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 1008c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer#if !defined(__APPLE__) 1018c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer int *ma = (int*)memalign(kPageSize, kPageSize); 1028c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_EQ(0U, (uintptr_t)ma % kPageSize); 1038c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer ma[123] = 0; 1048c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free(ma); 105394855a87d52d71b702cfbf0ec1a223bda9163d4Reid Spencer#endif // __APPLE__ 106cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke} 107cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke 108cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian GaekeTEST(AddressSanitizer, CallocTest) { 109cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke int *a = (int*)calloc(100, sizeof(int)); 110cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke EXPECT_EQ(0, a[10]); 111cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke free(a); 1128c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 1138c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 1148c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, VallocTest) { 115caf0ecec9ed4411280f16b81f43bcca1940a32deReid Spencer void *a = valloc(100); 116caf0ecec9ed4411280f16b81f43bcca1940a32deReid Spencer EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 117caf0ecec9ed4411280f16b81f43bcca1940a32deReid Spencer free(a); 118ecbd242833cadb8b22006143d5ee4c1152bc81e3Reid Spencer} 119ecbd242833cadb8b22006143d5ee4c1152bc81e3Reid Spencer 120ecbd242833cadb8b22006143d5ee4c1152bc81e3Reid Spencer#ifndef __APPLE__ 1218c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, PvallocTest) { 1228c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer char *a = (char*)pvalloc(kPageSize + 100); 1238c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 1248c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer a[kPageSize + 101] = 1; // we should not report an error here. 1258c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free(a); 1268c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 1278c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer a = (char*)pvalloc(0); // pvalloc(0) should allocate at least one page. 1288c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 1298c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer a[101] = 1; // we should not report an error here. 1300c803894985f80e894b36ad4de58ea4c2e906b07Brian Gaeke free(a); 1310c803894985f80e894b36ad4de58ea4c2e906b07Brian Gaeke} 1320c803894985f80e894b36ad4de58ea4c2e906b07Brian Gaeke#endif // __APPLE__ 133ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson 134ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Andersonvoid *TSDWorker(void *test_key) { 135ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson if (test_key) { 136ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson pthread_setspecific(*(pthread_key_t*)test_key, (void*)0xfeedface); 137ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson } 138ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson return NULL; 1397a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 1407a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell 141d59a64797b12dab9dae1842171b4ca9fba302765Brian Gaekevoid TSDDestructor(void *tsd) { 14200ad26ff5760ff2d1b24acb18718e63541088923David Greene // Spawning a thread will check that the current thread id is not -1. 14300ad26ff5760ff2d1b24acb18718e63541088923David Greene pthread_t th; 14400ad26ff5760ff2d1b24acb18718e63541088923David Greene PTHREAD_CREATE(&th, NULL, TSDWorker, NULL); 14548fd5a79e023bf6a647dfabb2bbb4c2f98617b81Dan Gohman PTHREAD_JOIN(th, NULL); 14648fd5a79e023bf6a647dfabb2bbb4c2f98617b81Dan Gohman} 14748fd5a79e023bf6a647dfabb2bbb4c2f98617b81Dan Gohman 148267fddbedd3fe05808a198c147948ffb62ebc866Nick Lewycky// This tests triggers the thread-specific data destruction fiasco which occurs 149267fddbedd3fe05808a198c147948ffb62ebc866Nick Lewycky// if we don't manage the TSD destructors ourselves. We create a new pthread 150267fddbedd3fe05808a198c147948ffb62ebc866Nick Lewycky// key with a non-NULL destructor which is likely to be put after the destructor 151fb3dcf875bc4262572fee58ac560379879ab8ee2Nick Lewycky// of AsanThread in the list of destructors. 152fb3dcf875bc4262572fee58ac560379879ab8ee2Nick Lewycky// In this case the TSD for AsanThread will be destroyed before TSDDestructor 153fb3dcf875bc4262572fee58ac560379879ab8ee2Nick Lewycky// is called for the child thread, and a CHECK will fail when we call 154fb3dcf875bc4262572fee58ac560379879ab8ee2Nick Lewycky// pthread_create() to spawn the grandchild. 155fb3dcf875bc4262572fee58ac560379879ab8ee2Nick LewyckyTEST(AddressSanitizer, DISABLED_TSDTest) { 156fb3dcf875bc4262572fee58ac560379879ab8ee2Nick Lewycky pthread_t th; 157af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencer pthread_key_t test_key; 1586802b55b6b4b46a2dc965eeeb1f75f1fdc33ba35Brian Gaeke pthread_key_create(&test_key, TSDDestructor); 1597a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell PTHREAD_CREATE(&th, NULL, TSDWorker, &test_key); 160f4bb9b1fa76564704a4ab6c27d5d72180b493e9aReid Spencer PTHREAD_JOIN(th, NULL); 161f4bb9b1fa76564704a4ab6c27d5d72180b493e9aReid Spencer pthread_key_delete(test_key); 162f4bb9b1fa76564704a4ab6c27d5d72180b493e9aReid Spencer} 16396cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer 16496cf58777bf7d28968054b0dd8cb0624a7433e89Reid SpencerTEST(AddressSanitizer, UAF_char) { 16596cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer const char *uaf_string = "AddressSanitizer:.*heap-use-after-free"; 1667a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_DEATH(uaf_test<U1>(1, 0), uaf_string); 1677a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_DEATH(uaf_test<U1>(10, 0), uaf_string); 1687a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_DEATH(uaf_test<U1>(10, 10), uaf_string); 1697a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, 0), uaf_string); 1707a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string); 1717a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 1729ba8a76f8baaa1092d60ccfbc04e7efdc207c98fAnton Korobeynikov 1739ba8a76f8baaa1092d60ccfbc04e7efdc207c98fAnton KorobeynikovTEST(AddressSanitizer, UAF_long_double) { 1749ba8a76f8baaa1092d60ccfbc04e7efdc207c98fAnton Korobeynikov if (sizeof(long double) == sizeof(double)) return; 1755c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke long double *p = Ident(new long double[10]); 1765c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke EXPECT_DEATH(Ident(p)[12] = 0, "WRITE of size 10"); 1775c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke EXPECT_DEATH(Ident(p)[0] = Ident(p)[12], "READ of size 10"); 1787a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell delete [] Ident(p); 1797a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 1807a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell 1818a2246f32ec6480b6430078ff2c5740a0a11a3fbReid Spencerstruct Packed5 { 1828a2246f32ec6480b6430078ff2c5740a0a11a3fbReid Spencer int x; 1838a2246f32ec6480b6430078ff2c5740a0a11a3fbReid Spencer char c; 184be13028264888b01ac6fcd46667cf31a7e84e9cfReid Spencer} __attribute__((packed)); 185be13028264888b01ac6fcd46667cf31a7e84e9cfReid Spencer 186be13028264888b01ac6fcd46667cf31a7e84e9cfReid Spencer 1878c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, UAF_Packed5) { 1888c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer Packed5 *p = Ident(new Packed5[2]); 1898c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_DEATH(p[0] = p[3], "READ of size 5"); 190cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke EXPECT_DEATH(p[3] = p[0], "WRITE of size 5"); 191cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke delete [] Ident(p); 192cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke} 1937a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell 1947a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell#if ASAN_HAS_BLACKLIST 1957a73b80b9052136c8cd2234eb3433a07df7cf38eJohn CriswellTEST(AddressSanitizer, IgnoreTest) { 19602cef96a2855b1b01b81d4b3429ed5cd707dd899Brian Gaeke int *x = Ident(new int); 19702cef96a2855b1b01b81d4b3429ed5cd707dd899Brian Gaeke delete Ident(x); 19802cef96a2855b1b01b81d4b3429ed5cd707dd899Brian Gaeke *x = 0; 199af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencer} 200c64d41e7063df8598e2eb6d741994292e3baa7cbBrian Gaeke#endif // ASAN_HAS_BLACKLIST 201c64d41e7063df8598e2eb6d741994292e3baa7cbBrian Gaeke 202af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencerstruct StructWithBitField { 203c64d41e7063df8598e2eb6d741994292e3baa7cbBrian Gaeke int bf1:1; 204c64d41e7063df8598e2eb6d741994292e3baa7cbBrian Gaeke int bf2:1; 205af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencer int bf3:1; 2065c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke int bf4:29; 2075c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke}; 208af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencer 2095c039879649f12c17f6c52c08be9a82d838525f9Brian GaekeTEST(AddressSanitizer, BitFieldPositiveTest) { 2105c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke StructWithBitField *x = new StructWithBitField; 2118c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer delete Ident(x); 2128c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_DEATH(x->bf1 = 0, "use-after-free"); 2138c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_DEATH(x->bf2 = 0, "use-after-free"); 214484fc8e38421f5b26593a9edacd734baf844c9e9Reid Spencer EXPECT_DEATH(x->bf3 = 0, "use-after-free"); 215484fc8e38421f5b26593a9edacd734baf844c9e9Reid Spencer EXPECT_DEATH(x->bf4 = 0, "use-after-free"); 216484fc8e38421f5b26593a9edacd734baf844c9e9Reid Spencer} 2173484a99ba1ecddd221c9c77b321d66edb456a7fcReid Spencer 2183484a99ba1ecddd221c9c77b321d66edb456a7fcReid Spencerstruct StructWithBitFields_8_24 { 2193484a99ba1ecddd221c9c77b321d66edb456a7fcReid Spencer int a:8; 220484fc8e38421f5b26593a9edacd734baf844c9e9Reid Spencer int b:24; 221484fc8e38421f5b26593a9edacd734baf844c9e9Reid Spencer}; 222484fc8e38421f5b26593a9edacd734baf844c9e9Reid Spencer 2235da60469f9a9513c28c9d715d818f7d789972e90Edward O'CallaghanTEST(AddressSanitizer, BitFieldNegativeTest) { 2245da60469f9a9513c28c9d715d818f7d789972e90Edward O'Callaghan StructWithBitFields_8_24 *x = Ident(new StructWithBitFields_8_24); 2255da60469f9a9513c28c9d715d818f7d789972e90Edward O'Callaghan x->a = 0; 2268cd4c3e6534a14566bf163301fd45bca34e655c1Anton Korobeynikov x->b = 0; 2278cd4c3e6534a14566bf163301fd45bca34e655c1Anton Korobeynikov delete Ident(x); 2288cd4c3e6534a14566bf163301fd45bca34e655c1Anton Korobeynikov} 229ee03c949b85036b68c261dcc27dca064ee7e525dAlexey Samsonov 230ee03c949b85036b68c261dcc27dca064ee7e525dAlexey SamsonovTEST(AddressSanitizer, OutOfMemoryTest) { 231ee03c949b85036b68c261dcc27dca064ee7e525dAlexey Samsonov size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 48) : (0xf0000000); 2327a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_EQ(0, realloc(0, size)); 2337a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_EQ(0, realloc(0, ~Ident(0))); 2347a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_EQ(0, malloc(size)); 235731c6abc469863ca6b8259319991bdc0455fc8b0Nick Lewycky EXPECT_EQ(0, malloc(~Ident(0))); 236731c6abc469863ca6b8259319991bdc0455fc8b0Nick Lewycky EXPECT_EQ(0, calloc(1, size)); 237731c6abc469863ca6b8259319991bdc0455fc8b0Nick Lewycky EXPECT_EQ(0, calloc(1, ~Ident(0))); 238cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke} 239cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke 240cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke#if ASAN_NEEDS_SEGV 241ff336a4e7f9a71834bb60a540a14dd023e7cbcfdBrian Gaekenamespace { 242ff336a4e7f9a71834bb60a540a14dd023e7cbcfdBrian Gaeke 243ff336a4e7f9a71834bb60a540a14dd023e7cbcfdBrian Gaekeconst char kUnknownCrash[] = "AddressSanitizer: SEGV on unknown address"; 244ff336a4e7f9a71834bb60a540a14dd023e7cbcfdBrian Gaekeconst char kOverriddenHandler[] = "ASan signal handler has been overridden\n"; 245ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson 246ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen AndersonTEST(AddressSanitizer, WildAddressTest) { 247ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson char *c = (char*)0x123; 248ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson EXPECT_DEATH(*c = 0, kUnknownCrash); 249ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson} 250ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson 251ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Andersonvoid my_sigaction_sighandler(int, siginfo_t*, void*) { 252ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson fprintf(stderr, kOverriddenHandler); 253ec643abe6903284fc9ae7b6d9ae5e0b4ad40ad28Owen Anderson exit(1); 254cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer} 255cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer 256cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencervoid my_signal_sighandler(int signum) { 257a6d990a73f5ce41c6ce53d940f807621ecb4d260Reid Spencer fprintf(stderr, kOverriddenHandler); 258a6d990a73f5ce41c6ce53d940f807621ecb4d260Reid Spencer exit(1); 259a6d990a73f5ce41c6ce53d940f807621ecb4d260Reid Spencer} 2608c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 2618c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, SignalTest) { 2628c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer struct sigaction sigact; 263cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke memset(&sigact, 0, sizeof(sigact)); 264cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke sigact.sa_sigaction = my_sigaction_sighandler; 265cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke sigact.sa_flags = SA_SIGINFO; 2667a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell // ASan should silently ignore sigaction()... 2677a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_EQ(0, sigaction(SIGSEGV, &sigact, 0)); 2687a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell#ifdef __APPLE__ 2690b14259eb2b2663ca9ee02ad8919b27e2723d330Chris Lattner EXPECT_EQ(0, sigaction(SIGBUS, &sigact, 0)); 2700b14259eb2b2663ca9ee02ad8919b27e2723d330Chris Lattner#endif 2710b14259eb2b2663ca9ee02ad8919b27e2723d330Chris Lattner char *c = (char*)0x123; 272368c36ff32b93bf8e29fb7a4ff2c3a10f3aec164Chris Lattner EXPECT_DEATH(*c = 0, kUnknownCrash); 273368c36ff32b93bf8e29fb7a4ff2c3a10f3aec164Chris Lattner // ... and signal(). 274368c36ff32b93bf8e29fb7a4ff2c3a10f3aec164Chris Lattner EXPECT_EQ(0, signal(SIGSEGV, my_signal_sighandler)); 2758c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_DEATH(*c = 0, kUnknownCrash); 2768c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 2778c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} // namespace 2788c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer#endif 2798c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 2808c8af327b83a210aed30634c908bb4b39f41eedbReid Spencerstatic void TestLargeMalloc(size_t size) { 2817a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell char buff[1024]; 2827a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell sprintf(buff, "is located 1 bytes to the left of %lu-byte", (long)size); 2837a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_DEATH(Ident((char*)malloc(size))[-1] = 0, buff); 284f9960f769ae574705b4dff4d6253285705a7012aReid Spencer} 285f9960f769ae574705b4dff4d6253285705a7012aReid Spencer 286f9960f769ae574705b4dff4d6253285705a7012aReid SpencerTEST(AddressSanitizer, LargeMallocTest) { 2875c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke for (int i = 113; i < (1 << 28); i = i * 2 + 13) { 2885c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke TestLargeMalloc(i); 2895c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke } 290f9960f769ae574705b4dff4d6253285705a7012aReid Spencer} 291f9960f769ae574705b4dff4d6253285705a7012aReid Spencer 292f9960f769ae574705b4dff4d6253285705a7012aReid SpencerTEST(AddressSanitizer, HugeMallocTest) { 2937a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell if (SANITIZER_WORDSIZE != 64) return; 2947a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell size_t n_megs = 4100; 2957a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell TestLargeMalloc(n_megs << 20); 296cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke} 297cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke 298cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke#ifndef __APPLE__ 299cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaekevoid MemalignRun(size_t align, size_t size, int idx) { 300cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke char *p = (char *)memalign(align, size); 301cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke Ident(p)[idx] = 0; 302cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke free(p); 3038c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 3048c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 3058c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, memalign) { 306df3be82dcbf61bd4ad9e13e93dfbf37a7a46ee51Reid Spencer for (int align = 16; align <= (1 << 23); align *= 2) { 307df3be82dcbf61bd4ad9e13e93dfbf37a7a46ee51Reid Spencer size_t size = align * 5; 308df3be82dcbf61bd4ad9e13e93dfbf37a7a46ee51Reid Spencer EXPECT_DEATH(MemalignRun(align, size, -1), 30900ad26ff5760ff2d1b24acb18718e63541088923David Greene "is located 1 bytes to the left"); 31000ad26ff5760ff2d1b24acb18718e63541088923David Greene EXPECT_DEATH(MemalignRun(align, size, size + 1), 31100ad26ff5760ff2d1b24acb18718e63541088923David Greene "is located 1 bytes to the right"); 3128c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer } 3138c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 3148c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer#endif 315e429182c013128ecc1cc2ccc6fd457d311003947Eric Christopher 316e429182c013128ecc1cc2ccc6fd457d311003947Eric Christophervoid *ManyThreadsWorker(void *a) { 317e429182c013128ecc1cc2ccc6fd457d311003947Eric Christopher for (int iter = 0; iter < 100; iter++) { 31896cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer for (size_t size = 100; size < 2000; size *= 2) { 31996cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer free(Ident(malloc(size))); 32096cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer } 3215745fbce1674b29f4dce6b6e31556c4c1e83dc89Benjamin Kramer } 3225745fbce1674b29f4dce6b6e31556c4c1e83dc89Benjamin Kramer return 0; 3235745fbce1674b29f4dce6b6e31556c4c1e83dc89Benjamin Kramer} 3248c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 3258c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, ManyThreadsTest) { 3268c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer const size_t kNumThreads = 3279058349aa431ef4cbdea51d30302f88105f61b76Brian Gaeke (SANITIZER_WORDSIZE == 32 || ASAN_AVOID_EXPENSIVE_TESTS) ? 30 : 1000; 3289058349aa431ef4cbdea51d30302f88105f61b76Brian Gaeke pthread_t t[kNumThreads]; 3299058349aa431ef4cbdea51d30302f88105f61b76Brian Gaeke for (size_t i = 0; i < kNumThreads; i++) { 33027fcfe1364943dadd99fd0ef5af6793f58acc446Owen Anderson PTHREAD_CREATE(&t[i], 0, ManyThreadsWorker, (void*)i); 33127fcfe1364943dadd99fd0ef5af6793f58acc446Owen Anderson } 33227fcfe1364943dadd99fd0ef5af6793f58acc446Owen Anderson for (size_t i = 0; i < kNumThreads; i++) { 333f8e9f7c70af05e40a65f75b49073b48941257839Reid Spencer PTHREAD_JOIN(t[i], 0); 334f8e9f7c70af05e40a65f75b49073b48941257839Reid Spencer } 335f8e9f7c70af05e40a65f75b49073b48941257839Reid Spencer} 3364046846d2cb36a6281b853c73776584063cca19dJohn Criswell 3374046846d2cb36a6281b853c73776584063cca19dJohn CriswellTEST(AddressSanitizer, ReallocTest) { 3384046846d2cb36a6281b853c73776584063cca19dJohn Criswell const int kMinElem = 5; 339de8aed2808224f0651400b8efee35830b83020a5Owen Anderson int *ptr = (int*)malloc(sizeof(int) * kMinElem); 340de8aed2808224f0651400b8efee35830b83020a5Owen Anderson ptr[3] = 3; 341de8aed2808224f0651400b8efee35830b83020a5Owen Anderson for (int i = 0; i < 10000; i++) { 342af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencer ptr = (int*)realloc(ptr, 343af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencer (my_rand() % 1000 + kMinElem) * sizeof(int)); 344af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencer EXPECT_EQ(3, ptr[3]); 3458c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer } 3468c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free(ptr); 3478c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer // Realloc pointer returned by malloc(0). 348f9960f769ae574705b4dff4d6253285705a7012aReid Spencer int *ptr2 = Ident((int*)malloc(0)); 349f9960f769ae574705b4dff4d6253285705a7012aReid Spencer ptr2 = Ident((int*)realloc(ptr2, sizeof(*ptr2))); 350f9960f769ae574705b4dff4d6253285705a7012aReid Spencer *ptr2 = 42; 3518c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_EQ(42, *ptr2); 3528c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free(ptr2); 3538c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 354df3be82dcbf61bd4ad9e13e93dfbf37a7a46ee51Reid Spencer 355df3be82dcbf61bd4ad9e13e93dfbf37a7a46ee51Reid SpencerTEST(AddressSanitizer, ZeroSizeMallocTest) { 3568085cff7ebbee3efd932b8f27f67187a4ba707e1Reid Spencer // Test that malloc(0) and similar functions don't return NULL. 35796cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer void *ptr = Ident(malloc(0)); 35896cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer EXPECT_TRUE(NULL != ptr); 35996cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer free(ptr); 360df3be82dcbf61bd4ad9e13e93dfbf37a7a46ee51Reid Spencer#if !defined(__APPLE__) && !defined(ANDROID) && !defined(__ANDROID__) 361df3be82dcbf61bd4ad9e13e93dfbf37a7a46ee51Reid Spencer int pm_res = posix_memalign(&ptr, 1<<20, 0); 3628085cff7ebbee3efd932b8f27f67187a4ba707e1Reid Spencer EXPECT_EQ(0, pm_res); 3639d9c19cf9672d4a19237b9bf7c22cbb0c5809b07Reid Spencer EXPECT_TRUE(NULL != ptr); 3649d9c19cf9672d4a19237b9bf7c22cbb0c5809b07Reid Spencer free(ptr); 3659d9c19cf9672d4a19237b9bf7c22cbb0c5809b07Reid Spencer#endif 366b7a8d400be7ce9e275c6e09a2a90fbacd0566476Jeffrey Yasskin int *int_ptr = new int[0]; 367b7a8d400be7ce9e275c6e09a2a90fbacd0566476Jeffrey Yasskin int *int_ptr2 = new int[0]; 368b7a8d400be7ce9e275c6e09a2a90fbacd0566476Jeffrey Yasskin EXPECT_TRUE(NULL != int_ptr); 369cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer EXPECT_TRUE(NULL != int_ptr2); 370cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer EXPECT_NE(int_ptr, int_ptr2); 371cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer delete[] int_ptr; 372cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer delete[] int_ptr2; 373cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer} 374cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer 37559473af39565dcff7416426b8aaed3ad63476c81Reid Spencer#ifndef __APPLE__ 37659473af39565dcff7416426b8aaed3ad63476c81Reid Spencerstatic const char *kMallocUsableSizeErrorMsg = 37759473af39565dcff7416426b8aaed3ad63476c81Reid Spencer "AddressSanitizer: attempting to call malloc_usable_size()"; 3788c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 3798c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, MallocUsableSizeTest) { 3808c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer const size_t kArraySize = 100; 381cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer char *array = Ident((char*)malloc(kArraySize)); 382cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer int *int_ptr = Ident(new int); 383cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer EXPECT_EQ(0U, malloc_usable_size(NULL)); 38459473af39565dcff7416426b8aaed3ad63476c81Reid Spencer EXPECT_EQ(kArraySize, malloc_usable_size(array)); 38559473af39565dcff7416426b8aaed3ad63476c81Reid Spencer EXPECT_EQ(sizeof(int), malloc_usable_size(int_ptr)); 38659473af39565dcff7416426b8aaed3ad63476c81Reid Spencer EXPECT_DEATH(malloc_usable_size((void*)0x123), kMallocUsableSizeErrorMsg); 387cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer EXPECT_DEATH(malloc_usable_size(array + kArraySize / 2), 388cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer kMallocUsableSizeErrorMsg); 389cdb08a3691b0949ea9fea690571631e1a842bf3aReid Spencer free(array); 3907a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_DEATH(malloc_usable_size(array), kMallocUsableSizeErrorMsg); 3917a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 3927a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell#endif 3938c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 3948c8af327b83a210aed30634c908bb4b39f41eedbReid Spencervoid WrongFree() { 3958c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer int *x = (int*)malloc(100 * sizeof(int)); 3967a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell // Use the allocated memory, otherwise Clang will optimize it out. 3977a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell Ident(x); 3987a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell free(x + 1); 399af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencer} 400c64d41e7063df8598e2eb6d741994292e3baa7cbBrian Gaeke 401c64d41e7063df8598e2eb6d741994292e3baa7cbBrian GaekeTEST(AddressSanitizer, WrongFreeTest) { 402af362fc492bf0bfc6e43e3025621834ea031a29eReid Spencer EXPECT_DEATH(WrongFree(), 4035c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke "ERROR: AddressSanitizer: attempting free.*not malloc"); 4045c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke} 4058c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 4068c8af327b83a210aed30634c908bb4b39f41eedbReid Spencervoid DoubleFree() { 4078c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer int *x = (int*)malloc(100 * sizeof(int)); 4088c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer fprintf(stderr, "DoubleFree: x=%p\n", x); 4098c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free(x); 4108c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free(x); 4117a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell fprintf(stderr, "should have failed in the second free(%p)\n", x); 4127a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell abort(); 4137a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 4147931a7867b602fa159f1939daf37756d9c3b1532Reid Spencer 4157931a7867b602fa159f1939daf37756d9c3b1532Reid SpencerTEST(AddressSanitizer, DoubleFreeTest) { 4167931a7867b602fa159f1939daf37756d9c3b1532Reid Spencer EXPECT_DEATH(DoubleFree(), ASAN_PCRE_DOTALL 4177931a7867b602fa159f1939daf37756d9c3b1532Reid Spencer "ERROR: AddressSanitizer: attempting double-free" 4187931a7867b602fa159f1939daf37756d9c3b1532Reid Spencer ".*is located 0 bytes inside of 400-byte region" 4197931a7867b602fa159f1939daf37756d9c3b1532Reid Spencer ".*freed by thread T0 here" 4207a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell ".*previously allocated by thread T0 here"); 4217a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 4227a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell 4237a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswelltemplate<int kSize> 4247a73b80b9052136c8cd2234eb3433a07df7cf38eJohn CriswellNOINLINE void SizedStackTest() { 4257a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell char a[kSize]; 4268c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer char *A = Ident((char*)&a); 4278c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer for (size_t i = 0; i < kSize; i++) 4288c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer A[i] = i; 42996cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer EXPECT_DEATH(A[-1] = 0, ""); 43096cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer EXPECT_DEATH(A[-20] = 0, ""); 43196cf58777bf7d28968054b0dd8cb0624a7433e89Reid Spencer EXPECT_DEATH(A[-31] = 0, ""); 432cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke EXPECT_DEATH(A[kSize] = 0, ""); 433cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke EXPECT_DEATH(A[kSize + 1] = 0, ""); 434cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke EXPECT_DEATH(A[kSize + 10] = 0, ""); 435cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke EXPECT_DEATH(A[kSize + 31] = 0, ""); 436cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke} 437cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke 43851a33548d46a338a251eb48a937bc2eec758a01cReid SpencerTEST(AddressSanitizer, SimpleStackTest) { 43951a33548d46a338a251eb48a937bc2eec758a01cReid Spencer SizedStackTest<1>(); 44051a33548d46a338a251eb48a937bc2eec758a01cReid Spencer SizedStackTest<2>(); 4418c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer SizedStackTest<3>(); 4428c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer SizedStackTest<4>(); 4438c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer SizedStackTest<5>(); 4448c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer SizedStackTest<6>(); 4458c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer SizedStackTest<7>(); 4468c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer SizedStackTest<16>(); 4478c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer SizedStackTest<25>(); 44801746745f1287effa1772ef51b973988afcea699Douglas Gregor SizedStackTest<34>(); 44901746745f1287effa1772ef51b973988afcea699Douglas Gregor SizedStackTest<43>(); 45001746745f1287effa1772ef51b973988afcea699Douglas Gregor SizedStackTest<51>(); 451cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke SizedStackTest<62>(); 452cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke SizedStackTest<64>(); 453cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke SizedStackTest<128>(); 4548c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 4558c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 4568c8af327b83a210aed30634c908bb4b39f41eedbReid SpencerTEST(AddressSanitizer, ManyStackObjectsTest) { 4578c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer char XXX[10]; 45859473af39565dcff7416426b8aaed3ad63476c81Reid Spencer char YYY[20]; 45959473af39565dcff7416426b8aaed3ad63476c81Reid Spencer char ZZZ[30]; 46059473af39565dcff7416426b8aaed3ad63476c81Reid Spencer Ident(XXX); 461cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke Ident(YYY); 462cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke EXPECT_DEATH(Ident(ZZZ)[-1] = 0, ASAN_PCRE_DOTALL "XXX.*YYY.*ZZZ"); 463cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke} 4647a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell 4657a73b80b9052136c8cd2234eb3433a07df7cf38eJohn CriswellNOINLINE static void Frame0(int frame, char *a, char *b, char *c) { 4667a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell char d[4] = {0}; 4677a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell char *D = Ident(d); 4687a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell switch (frame) { 4697a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell case 3: a[5]++; break; 4707a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell case 2: b[5]++; break; 4717a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell case 1: c[5]++; break; 4727a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell case 0: D[5]++; break; 4733e46293c27ee6d35240d6308a84be0f2c2e91940Daniel Dunbar } 4743e46293c27ee6d35240d6308a84be0f2c2e91940Daniel Dunbar} 4753e46293c27ee6d35240d6308a84be0f2c2e91940Daniel DunbarNOINLINE static void Frame1(int frame, char *a, char *b) { 4767a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell char c[4] = {0}; Frame0(frame, a, b, c); 4777a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell break_optimization(0); 4787a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 479071d73d67e7cea60e7334f6ae96c1e8f8050a662Douglas GregorNOINLINE static void Frame2(int frame, char *a) { 480071d73d67e7cea60e7334f6ae96c1e8f8050a662Douglas Gregor char b[4] = {0}; Frame1(frame, a, b); 481071d73d67e7cea60e7334f6ae96c1e8f8050a662Douglas Gregor break_optimization(0); 48200ad26ff5760ff2d1b24acb18718e63541088923David Greene} 48300ad26ff5760ff2d1b24acb18718e63541088923David GreeneNOINLINE static void Frame3(int frame) { 48400ad26ff5760ff2d1b24acb18718e63541088923David Greene char a[4] = {0}; Frame2(frame, a); 485cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke break_optimization(0); 486cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke} 487cbeedf73d403ca0b65b3d4151b5630c5e335055bBrian Gaeke 4887a73b80b9052136c8cd2234eb3433a07df7cf38eJohn CriswellTEST(AddressSanitizer, GuiltyStackFrame0Test) { 4897a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_DEATH(Frame3(0), "located .*in frame <.*Frame0"); 4907a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 49159473af39565dcff7416426b8aaed3ad63476c81Reid SpencerTEST(AddressSanitizer, GuiltyStackFrame1Test) { 49259473af39565dcff7416426b8aaed3ad63476c81Reid Spencer EXPECT_DEATH(Frame3(1), "located .*in frame <.*Frame1"); 49359473af39565dcff7416426b8aaed3ad63476c81Reid Spencer} 4941f4a27947f5d7840df45ea9e757b88e6269bda5fReid SpencerTEST(AddressSanitizer, GuiltyStackFrame2Test) { 4951f4a27947f5d7840df45ea9e757b88e6269bda5fReid Spencer EXPECT_DEATH(Frame3(2), "located .*in frame <.*Frame2"); 4961f4a27947f5d7840df45ea9e757b88e6269bda5fReid Spencer} 497f28411f732960981f8920195ad8f7e6792396961Jeffrey YasskinTEST(AddressSanitizer, GuiltyStackFrame3Test) { 498f28411f732960981f8920195ad8f7e6792396961Jeffrey Yasskin EXPECT_DEATH(Frame3(3), "located .*in frame <.*Frame3"); 499f28411f732960981f8920195ad8f7e6792396961Jeffrey Yasskin} 5005c039879649f12c17f6c52c08be9a82d838525f9Brian Gaeke 501b2815e0139727b78a701af5fb66676944b859e2dJohn CriswellNOINLINE void LongJmpFunc1(jmp_buf buf) { 502b2815e0139727b78a701af5fb66676944b859e2dJohn Criswell // create three red zones for these two stack objects. 5033e46293c27ee6d35240d6308a84be0f2c2e91940Daniel Dunbar int a; 5043e46293c27ee6d35240d6308a84be0f2c2e91940Daniel Dunbar int b; 5053e46293c27ee6d35240d6308a84be0f2c2e91940Daniel Dunbar 50648fd5a79e023bf6a647dfabb2bbb4c2f98617b81Dan Gohman int *A = Ident(&a); 50748fd5a79e023bf6a647dfabb2bbb4c2f98617b81Dan Gohman int *B = Ident(&b); 50848fd5a79e023bf6a647dfabb2bbb4c2f98617b81Dan Gohman *A = *B; 509ee03c949b85036b68c261dcc27dca064ee7e525dAlexey Samsonov longjmp(buf, 1); 510ee03c949b85036b68c261dcc27dca064ee7e525dAlexey Samsonov} 511ee03c949b85036b68c261dcc27dca064ee7e525dAlexey Samsonov 5121f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA TakumiNOINLINE void BuiltinLongJmpFunc1(jmp_buf buf) { 5131f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi // create three red zones for these two stack objects. 5141f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int a; 5151f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int b; 5161f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi 5171f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int *A = Ident(&a); 5181f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int *B = Ident(&b); 5191f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi *A = *B; 5201f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi __builtin_longjmp((void**)buf, 1); 5211f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi} 5221f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi 5231f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA TakumiNOINLINE void UnderscopeLongJmpFunc1(jmp_buf buf) { 5241f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi // create three red zones for these two stack objects. 5251f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int a; 5261f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int b; 5271f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi 5281f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int *A = Ident(&a); 5291f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int *B = Ident(&b); 5301f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi *A = *B; 5311f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi _longjmp(buf, 1); 5321f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi} 5333b30a6e92d1da79674451879d4112a8f83cc12a4Anton Korobeynikov 5343b30a6e92d1da79674451879d4112a8f83cc12a4Anton KorobeynikovNOINLINE void SigLongJmpFunc1(sigjmp_buf buf) { 5353b30a6e92d1da79674451879d4112a8f83cc12a4Anton Korobeynikov // create three red zones for these two stack objects. 5361f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int a; 5371f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int b; 5381f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi 5391f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int *A = Ident(&a); 5401f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int *B = Ident(&b); 5411f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi *A = *B; 5421f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi siglongjmp(buf, 1); 5431f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi} 5441f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi 5451f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi 5461f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA TakumiNOINLINE void TouchStackFunc() { 5471f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int a[100]; // long array will intersect with redzones from LongJmpFunc1. 5481f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi int *A = Ident(a); 5491f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi for (int i = 0; i < 100; i++) 5501f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi A[i] = i*i; 5511f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi} 5521f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi 5531f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi// Test that we handle longjmp and do not report fals positives on stack. 5541f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA TakumiTEST(AddressSanitizer, LongJmpTest) { 5551f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi static jmp_buf buf; 5561f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi if (!setjmp(buf)) { 5571f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi LongJmpFunc1(buf); 5581f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi } else { 5591f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi TouchStackFunc(); 5601f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi } 5611f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi} 5621f6832a858db891b7a7b08d438afb373eefa628cNAKAMURA Takumi 563ee0f32d723431cdae943e8a8d45ecdb856a0e76cDaniel Dunbar#if not defined(__ANDROID__) 564ee0f32d723431cdae943e8a8d45ecdb856a0e76cDaniel DunbarTEST(AddressSanitizer, BuiltinLongJmpTest) { 565ee0f32d723431cdae943e8a8d45ecdb856a0e76cDaniel Dunbar static jmp_buf buf; 5661cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer if (!__builtin_setjmp((void**)buf)) { 5671cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer BuiltinLongJmpFunc1(buf); 5681cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer } else { 5691cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer TouchStackFunc(); 5701cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer } 5711cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer} 5720abe116022a45879d5f17e6c4964769f24bb05aaGordon Henriksen#endif // not defined(__ANDROID__) 5731cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer 5741cd3bee548ef0395065d5e789119c7654f239b2cReid SpencerTEST(AddressSanitizer, UnderscopeLongJmpTest) { 575de2e0b5e6d5aa7eccf62df17b86c31b39732bf86Sebastian Pop static jmp_buf buf; 576de2e0b5e6d5aa7eccf62df17b86c31b39732bf86Sebastian Pop if (!_setjmp(buf)) { 577de2e0b5e6d5aa7eccf62df17b86c31b39732bf86Sebastian Pop UnderscopeLongJmpFunc1(buf); 5780abe116022a45879d5f17e6c4964769f24bb05aaGordon Henriksen } else { 5790abe116022a45879d5f17e6c4964769f24bb05aaGordon Henriksen TouchStackFunc(); 5800abe116022a45879d5f17e6c4964769f24bb05aaGordon Henriksen } 581c73f3d1ce7dc236169fcb5f9149562bb50986cd9NAKAMURA Takumi} 582c73f3d1ce7dc236169fcb5f9149562bb50986cd9NAKAMURA Takumi 583c73f3d1ce7dc236169fcb5f9149562bb50986cd9NAKAMURA TakumiTEST(AddressSanitizer, SigLongJmpTest) { 584ee03c949b85036b68c261dcc27dca064ee7e525dAlexey Samsonov static sigjmp_buf buf; 585ee03c949b85036b68c261dcc27dca064ee7e525dAlexey Samsonov if (!sigsetjmp(buf, 1)) { 586ee03c949b85036b68c261dcc27dca064ee7e525dAlexey Samsonov SigLongJmpFunc1(buf); 587ff22c42e0ee8e526352f3ac84ae9dd0d0bec2519Reid Spencer } else { 588ff22c42e0ee8e526352f3ac84ae9dd0d0bec2519Reid Spencer TouchStackFunc(); 589ff22c42e0ee8e526352f3ac84ae9dd0d0bec2519Reid Spencer } 590776d99342b05872d6022ee9ff87bf195e3cd8491Eric Christopher} 591776d99342b05872d6022ee9ff87bf195e3cd8491Eric Christopher 592776d99342b05872d6022ee9ff87bf195e3cd8491Eric Christopher#ifdef __EXCEPTIONS 5932864de7c2d764a4be44bed073afadb663fdbb2ddNAKAMURA TakumiNOINLINE void ThrowFunc() { 5942864de7c2d764a4be44bed073afadb663fdbb2ddNAKAMURA Takumi // create three red zones for these two stack objects. 5952864de7c2d764a4be44bed073afadb663fdbb2ddNAKAMURA Takumi int a; 5961cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer int b; 5971cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer 5981cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer int *A = Ident(&a); 5991cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer int *B = Ident(&b); 6001cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer *A = *B; 6011cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer ASAN_THROW(1); 6021cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer} 6031cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer 6041cd3bee548ef0395065d5e789119c7654f239b2cReid SpencerTEST(AddressSanitizer, CxxExceptionTest) { 6051cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer if (ASAN_UAR) return; 6061cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer // TODO(kcc): this test crashes on 32-bit for some reason... 6071cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer if (SANITIZER_WORDSIZE == 32) return; 6080711c303765d858a0aa75f76b6ad3c90542416d4Douglas Gregor try { 6090711c303765d858a0aa75f76b6ad3c90542416d4Douglas Gregor ThrowFunc(); 6100711c303765d858a0aa75f76b6ad3c90542416d4Douglas Gregor } catch(...) {} 611dd54ffda263a17bddb0ad04a670916125972929aJan Sjödin TouchStackFunc(); 612dd54ffda263a17bddb0ad04a670916125972929aJan Sjödin} 613dd54ffda263a17bddb0ad04a670916125972929aJan Sjödin#endif 614753f3265dafdcfeec07b561ca278524c35477583Eric Christopher 615753f3265dafdcfeec07b561ca278524c35477583Eric Christophervoid *ThreadStackReuseFunc1(void *unused) { 616753f3265dafdcfeec07b561ca278524c35477583Eric Christopher // create three red zones for these two stack objects. 617c4b2271d4aa5c98417d6582b4f0b69fbe5e61cb9Eric Christopher int a; 618c4b2271d4aa5c98417d6582b4f0b69fbe5e61cb9Eric Christopher int b; 619c4b2271d4aa5c98417d6582b4f0b69fbe5e61cb9Eric Christopher 620753f3265dafdcfeec07b561ca278524c35477583Eric Christopher int *A = Ident(&a); 621753f3265dafdcfeec07b561ca278524c35477583Eric Christopher int *B = Ident(&b); 622753f3265dafdcfeec07b561ca278524c35477583Eric Christopher *A = *B; 623753f3265dafdcfeec07b561ca278524c35477583Eric Christopher pthread_exit(0); 624753f3265dafdcfeec07b561ca278524c35477583Eric Christopher return 0; 625b1247c313dc319313fffec57e7b68532cb6a2d12Daniel Dunbar} 6264362c6225ede377e05a8f3da7072a0a836e5da0bNAKAMURA Takumi 6274362c6225ede377e05a8f3da7072a0a836e5da0bNAKAMURA Takumivoid *ThreadStackReuseFunc2(void *unused) { 6284362c6225ede377e05a8f3da7072a0a836e5da0bNAKAMURA Takumi TouchStackFunc(); 6297b3e851e2bc9014782e3cae379c4f1561380acbfReid Spencer return 0; 6307b3e851e2bc9014782e3cae379c4f1561380acbfReid Spencer} 6317b3e851e2bc9014782e3cae379c4f1561380acbfReid Spencer 6327b3e851e2bc9014782e3cae379c4f1561380acbfReid SpencerTEST(AddressSanitizer, ThreadStackReuseTest) { 6337b3e851e2bc9014782e3cae379c4f1561380acbfReid Spencer pthread_t t; 6347b3e851e2bc9014782e3cae379c4f1561380acbfReid Spencer PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc1, 0); 63500ad26ff5760ff2d1b24acb18718e63541088923David Greene PTHREAD_JOIN(t, 0); 63600ad26ff5760ff2d1b24acb18718e63541088923David Greene PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc2, 0); 63700ad26ff5760ff2d1b24acb18718e63541088923David Greene PTHREAD_JOIN(t, 0); 638caf0ecec9ed4411280f16b81f43bcca1940a32deReid Spencer} 639caf0ecec9ed4411280f16b81f43bcca1940a32deReid Spencer 640caf0ecec9ed4411280f16b81f43bcca1940a32deReid Spencer#if defined(__i386__) || defined(__x86_64__) 641ecbd242833cadb8b22006143d5ee4c1152bc81e3Reid SpencerTEST(AddressSanitizer, Store128Test) { 642ecbd242833cadb8b22006143d5ee4c1152bc81e3Reid Spencer char *a = Ident((char*)malloc(Ident(12))); 643ecbd242833cadb8b22006143d5ee4c1152bc81e3Reid Spencer char *p = a; 64400ad26ff5760ff2d1b24acb18718e63541088923David Greene if (((uintptr_t)a % 16) != 0) 64500ad26ff5760ff2d1b24acb18718e63541088923David Greene p = a + 8; 64600ad26ff5760ff2d1b24acb18718e63541088923David Greene assert(((uintptr_t)p % 16) == 0); 647c232a658274117b8db1f6dfd1aa2dbb3ab390381Reid Spencer __m128i value_wide = _mm_set1_epi16(0x1234); 648c232a658274117b8db1f6dfd1aa2dbb3ab390381Reid Spencer EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 649c232a658274117b8db1f6dfd1aa2dbb3ab390381Reid Spencer "AddressSanitizer: heap-buffer-overflow"); 650be13028264888b01ac6fcd46667cf31a7e84e9cfReid Spencer EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 651be13028264888b01ac6fcd46667cf31a7e84e9cfReid Spencer "WRITE of size 16"); 652be13028264888b01ac6fcd46667cf31a7e84e9cfReid Spencer EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 65300ad26ff5760ff2d1b24acb18718e63541088923David Greene "located 0 bytes to the right of 12-byte"); 65400ad26ff5760ff2d1b24acb18718e63541088923David Greene free(a); 65500ad26ff5760ff2d1b24acb18718e63541088923David Greene} 65600ad26ff5760ff2d1b24acb18718e63541088923David Greene#endif 65700ad26ff5760ff2d1b24acb18718e63541088923David Greene 65800ad26ff5760ff2d1b24acb18718e63541088923David Greenestring RightOOBErrorMessage(int oob_distance, bool is_write) { 65948fd5a79e023bf6a647dfabb2bbb4c2f98617b81Dan Gohman assert(oob_distance >= 0); 66048fd5a79e023bf6a647dfabb2bbb4c2f98617b81Dan Gohman char expected_str[100]; 66148fd5a79e023bf6a647dfabb2bbb4c2f98617b81Dan Gohman sprintf(expected_str, ASAN_PCRE_DOTALL 6621cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer "buffer-overflow.*%s.*located %d bytes to the right", 6631cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer is_write ? "WRITE" : "READ", oob_distance); 6641cd3bee548ef0395065d5e789119c7654f239b2cReid Spencer return string(expected_str); 66561b1851a205cb8dd29c1d3d4231efb8f8f7da283Eli Bendersky} 66661b1851a205cb8dd29c1d3d4231efb8f8f7da283Eli Bendersky 66761b1851a205cb8dd29c1d3d4231efb8f8f7da283Eli Benderskystring RightOOBWriteMessage(int oob_distance) { 66861b1851a205cb8dd29c1d3d4231efb8f8f7da283Eli Bendersky return RightOOBErrorMessage(oob_distance, /*is_write*/true); 66961b1851a205cb8dd29c1d3d4231efb8f8f7da283Eli Bendersky} 67061b1851a205cb8dd29c1d3d4231efb8f8f7da283Eli Bendersky 671fde8237cd9c7e0eb503e6c53994c9c9d19cbb4c6Dylan Noblesmithstring RightOOBReadMessage(int oob_distance) { 672fde8237cd9c7e0eb503e6c53994c9c9d19cbb4c6Dylan Noblesmith return RightOOBErrorMessage(oob_distance, /*is_write*/false); 673fde8237cd9c7e0eb503e6c53994c9c9d19cbb4c6Dylan Noblesmith} 674fde8237cd9c7e0eb503e6c53994c9c9d19cbb4c6Dylan Noblesmith 675fde8237cd9c7e0eb503e6c53994c9c9d19cbb4c6Dylan Noblesmithstring LeftOOBErrorMessage(int oob_distance, bool is_write) { 676fde8237cd9c7e0eb503e6c53994c9c9d19cbb4c6Dylan Noblesmith assert(oob_distance > 0); 6778c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer char expected_str[100]; 6788c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer sprintf(expected_str, ASAN_PCRE_DOTALL "%s.*located %d bytes to the left", 6798c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer is_write ? "WRITE" : "READ", oob_distance); 6808c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer return string(expected_str); 6818c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 6828c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 6838c8af327b83a210aed30634c908bb4b39f41eedbReid Spencerstring LeftOOBWriteMessage(int oob_distance) { 6848c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer return LeftOOBErrorMessage(oob_distance, /*is_write*/true); 6858c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 6868c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 6878c8af327b83a210aed30634c908bb4b39f41eedbReid Spencerstring LeftOOBReadMessage(int oob_distance) { 6888c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer return LeftOOBErrorMessage(oob_distance, /*is_write*/false); 6898c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 6908c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 6918c8af327b83a210aed30634c908bb4b39f41eedbReid Spencerstring LeftOOBAccessMessage(int oob_distance) { 6928c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer assert(oob_distance > 0); 6938c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer char expected_str[100]; 6947931a7867b602fa159f1939daf37756d9c3b1532Reid Spencer sprintf(expected_str, "located %d bytes to the left", oob_distance); 6957931a7867b602fa159f1939daf37756d9c3b1532Reid Spencer return string(expected_str); 6967931a7867b602fa159f1939daf37756d9c3b1532Reid Spencer} 6977931a7867b602fa159f1939daf37756d9c3b1532Reid Spencer 6988c8af327b83a210aed30634c908bb4b39f41eedbReid Spencerchar* MallocAndMemsetString(size_t size, char ch) { 6998c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer char *s = Ident((char*)malloc(size)); 7008c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer memset(s, ch, size); 7017a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell return s; 7027a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 7037a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell 7047a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswellchar* MallocAndMemsetString(size_t size) { 7057a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell return MallocAndMemsetString(size, 'z'); 7067a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 7077a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell 7087a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell#if defined(__linux__) && !defined(ANDROID) && !defined(__ANDROID__) 7097a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell#define READ_TEST(READ_N_BYTES) \ 7107a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell char *x = new char[10]; \ 7117a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell int fd = open("/proc/self/stat", O_RDONLY); \ 7127a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell ASSERT_GT(fd, 0); \ 7137a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell EXPECT_DEATH(READ_N_BYTES, \ 7147a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell ASAN_PCRE_DOTALL \ 7157a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell "AddressSanitizer: heap-buffer-overflow" \ 7167a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell ".* is located 0 bytes to the right of 10-byte region"); \ 7177a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell close(fd); \ 7187a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell delete [] x; \ 71959473af39565dcff7416426b8aaed3ad63476c81Reid Spencer 72059473af39565dcff7416426b8aaed3ad63476c81Reid SpencerTEST(AddressSanitizer, pread) { 72159473af39565dcff7416426b8aaed3ad63476c81Reid Spencer READ_TEST(pread(fd, x, 15, 0)); 722360fa9a29d65b6c9b69fb2ba9712d69098cfca13Eric Christopher} 723360fa9a29d65b6c9b69fb2ba9712d69098cfca13Eric Christopher 724360fa9a29d65b6c9b69fb2ba9712d69098cfca13Eric ChristopherTEST(AddressSanitizer, pread64) { 7257a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell READ_TEST(pread64(fd, x, 15, 0)); 7267a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 7277a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell 7287a73b80b9052136c8cd2234eb3433a07df7cf38eJohn CriswellTEST(AddressSanitizer, read) { 7297a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell READ_TEST(read(fd, x, 15)); 7307a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell} 7318cd4c3e6534a14566bf163301fd45bca34e655c1Anton Korobeynikov#endif // defined(__linux__) && !defined(ANDROID) && !defined(__ANDROID__) 7328cd4c3e6534a14566bf163301fd45bca34e655c1Anton Korobeynikov 7338cd4c3e6534a14566bf163301fd45bca34e655c1Anton Korobeynikov// This test case fails 7346073a0524023454324d2575e8667c72666597bfeNAKAMURA Takumi// Clang optimizes memcpy/memset calls which lead to unaligned access 7356073a0524023454324d2575e8667c72666597bfeNAKAMURA TakumiTEST(AddressSanitizer, DISABLED_MemIntrinsicUnalignedAccessTest) { 7366073a0524023454324d2575e8667c72666597bfeNAKAMURA Takumi int size = Ident(4096); 7378c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer char *s = Ident((char*)malloc(size)); 7388c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer EXPECT_DEATH(memset(s + size - 1, 0, 2), RightOOBWriteMessage(0)); 7398c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer free(s); 7408c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer} 7418c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer 7428c8af327b83a210aed30634c908bb4b39f41eedbReid Spencer// TODO(samsonov): Add a test with malloc(0) 7437a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell// TODO(samsonov): Add tests for str* and mem* functions. 7447a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell 7457a73b80b9052136c8cd2234eb3433a07df7cf38eJohn CriswellNOINLINE static int LargeFunction(bool do_bad_access) { 746a773bd54f32ceb55af08286fe00c6ec1b73e5b9aReid Spencer int *x = new int[100]; 7477a73b80b9052136c8cd2234eb3433a07df7cf38eJohn Criswell x[0]++; 748d442d2846a00c0ac2f031deba06b7e0d003f14adEric Christopher x[1]++; 749d442d2846a00c0ac2f031deba06b7e0d003f14adEric Christopher x[2]++; 750 x[3]++; 751 x[4]++; 752 x[5]++; 753 x[6]++; 754 x[7]++; 755 x[8]++; 756 x[9]++; 757 758 x[do_bad_access ? 100 : 0]++; int res = __LINE__; 759 760 x[10]++; 761 x[11]++; 762 x[12]++; 763 x[13]++; 764 x[14]++; 765 x[15]++; 766 x[16]++; 767 x[17]++; 768 x[18]++; 769 x[19]++; 770 771 delete x; 772 return res; 773} 774 775// Test the we have correct debug info for the failing instruction. 776// This test requires the in-process symbolizer to be enabled by default. 777TEST(AddressSanitizer, DISABLED_LargeFunctionSymbolizeTest) { 778 int failing_line = LargeFunction(false); 779 char expected_warning[128]; 780 sprintf(expected_warning, "LargeFunction.*asan_test.*:%d", failing_line); 781 EXPECT_DEATH(LargeFunction(true), expected_warning); 782} 783 784// Check that we unwind and symbolize correctly. 785TEST(AddressSanitizer, DISABLED_MallocFreeUnwindAndSymbolizeTest) { 786 int *a = (int*)malloc_aaa(sizeof(int)); 787 *a = 1; 788 free_aaa(a); 789 EXPECT_DEATH(*a = 1, "free_ccc.*free_bbb.*free_aaa.*" 790 "malloc_fff.*malloc_eee.*malloc_ddd"); 791} 792 793static bool TryToSetThreadName(const char *name) { 794#if defined(__linux__) && defined(PR_SET_NAME) 795 return 0 == prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0); 796#else 797 return false; 798#endif 799} 800 801void *ThreadedTestAlloc(void *a) { 802 EXPECT_EQ(true, TryToSetThreadName("AllocThr")); 803 int **p = (int**)a; 804 *p = new int; 805 return 0; 806} 807 808void *ThreadedTestFree(void *a) { 809 EXPECT_EQ(true, TryToSetThreadName("FreeThr")); 810 int **p = (int**)a; 811 delete *p; 812 return 0; 813} 814 815void *ThreadedTestUse(void *a) { 816 EXPECT_EQ(true, TryToSetThreadName("UseThr")); 817 int **p = (int**)a; 818 **p = 1; 819 return 0; 820} 821 822void ThreadedTestSpawn() { 823 pthread_t t; 824 int *x; 825 PTHREAD_CREATE(&t, 0, ThreadedTestAlloc, &x); 826 PTHREAD_JOIN(t, 0); 827 PTHREAD_CREATE(&t, 0, ThreadedTestFree, &x); 828 PTHREAD_JOIN(t, 0); 829 PTHREAD_CREATE(&t, 0, ThreadedTestUse, &x); 830 PTHREAD_JOIN(t, 0); 831} 832 833TEST(AddressSanitizer, ThreadedTest) { 834 EXPECT_DEATH(ThreadedTestSpawn(), 835 ASAN_PCRE_DOTALL 836 "Thread T.*created" 837 ".*Thread T.*created" 838 ".*Thread T.*created"); 839} 840 841void *ThreadedTestFunc(void *unused) { 842 // Check if prctl(PR_SET_NAME) is supported. Return if not. 843 if (!TryToSetThreadName("TestFunc")) 844 return 0; 845 EXPECT_DEATH(ThreadedTestSpawn(), 846 ASAN_PCRE_DOTALL 847 "WRITE .*thread T. .UseThr." 848 ".*freed by thread T. .FreeThr. here:" 849 ".*previously allocated by thread T. .AllocThr. here:" 850 ".*Thread T. .UseThr. created by T.*TestFunc" 851 ".*Thread T. .FreeThr. created by T" 852 ".*Thread T. .AllocThr. created by T" 853 ""); 854 return 0; 855} 856 857TEST(AddressSanitizer, ThreadNamesTest) { 858 // Run ThreadedTestFunc in a separate thread because it tries to set a 859 // thread name and we don't want to change the main thread's name. 860 pthread_t t; 861 PTHREAD_CREATE(&t, 0, ThreadedTestFunc, 0); 862 PTHREAD_JOIN(t, 0); 863} 864 865#if ASAN_NEEDS_SEGV 866TEST(AddressSanitizer, ShadowGapTest) { 867#if SANITIZER_WORDSIZE == 32 868 char *addr = (char*)0x22000000; 869#else 870 char *addr = (char*)0x0000100000080000; 871#endif 872 EXPECT_DEATH(*addr = 1, "AddressSanitizer: SEGV on unknown"); 873} 874#endif // ASAN_NEEDS_SEGV 875 876extern "C" { 877NOINLINE static void UseThenFreeThenUse() { 878 char *x = Ident((char*)malloc(8)); 879 *x = 1; 880 free_aaa(x); 881 *x = 2; 882} 883} 884 885TEST(AddressSanitizer, UseThenFreeThenUseTest) { 886 EXPECT_DEATH(UseThenFreeThenUse(), "freed by thread"); 887} 888 889TEST(AddressSanitizer, StrDupTest) { 890 free(strdup(Ident("123"))); 891} 892 893// Currently we create and poison redzone at right of global variables. 894static char static110[110]; 895const char ConstGlob[7] = {1, 2, 3, 4, 5, 6, 7}; 896static const char StaticConstGlob[3] = {9, 8, 7}; 897 898TEST(AddressSanitizer, GlobalTest) { 899 static char func_static15[15]; 900 901 static char fs1[10]; 902 static char fs2[10]; 903 static char fs3[10]; 904 905 glob5[Ident(0)] = 0; 906 glob5[Ident(1)] = 0; 907 glob5[Ident(2)] = 0; 908 glob5[Ident(3)] = 0; 909 glob5[Ident(4)] = 0; 910 911 EXPECT_DEATH(glob5[Ident(5)] = 0, 912 "0 bytes to the right of global variable.*glob5.* size 5"); 913 EXPECT_DEATH(glob5[Ident(5+6)] = 0, 914 "6 bytes to the right of global variable.*glob5.* size 5"); 915 Ident(static110); // avoid optimizations 916 static110[Ident(0)] = 0; 917 static110[Ident(109)] = 0; 918 EXPECT_DEATH(static110[Ident(110)] = 0, 919 "0 bytes to the right of global variable"); 920 EXPECT_DEATH(static110[Ident(110+7)] = 0, 921 "7 bytes to the right of global variable"); 922 923 Ident(func_static15); // avoid optimizations 924 func_static15[Ident(0)] = 0; 925 EXPECT_DEATH(func_static15[Ident(15)] = 0, 926 "0 bytes to the right of global variable"); 927 EXPECT_DEATH(func_static15[Ident(15 + 9)] = 0, 928 "9 bytes to the right of global variable"); 929 930 Ident(fs1); 931 Ident(fs2); 932 Ident(fs3); 933 934 // We don't create left redzones, so this is not 100% guaranteed to fail. 935 // But most likely will. 936 EXPECT_DEATH(fs2[Ident(-1)] = 0, "is located.*of global variable"); 937 938 EXPECT_DEATH(Ident(Ident(ConstGlob)[8]), 939 "is located 1 bytes to the right of .*ConstGlob"); 940 EXPECT_DEATH(Ident(Ident(StaticConstGlob)[5]), 941 "is located 2 bytes to the right of .*StaticConstGlob"); 942 943 // call stuff from another file. 944 GlobalsTest(0); 945} 946 947TEST(AddressSanitizer, GlobalStringConstTest) { 948 static const char *zoo = "FOOBAR123"; 949 const char *p = Ident(zoo); 950 EXPECT_DEATH(Ident(p[15]), "is ascii string 'FOOBAR123'"); 951} 952 953TEST(AddressSanitizer, FileNameInGlobalReportTest) { 954 static char zoo[10]; 955 const char *p = Ident(zoo); 956 // The file name should be present in the report. 957 EXPECT_DEATH(Ident(p[15]), "zoo.*asan_test."); 958} 959 960int *ReturnsPointerToALocalObject() { 961 int a = 0; 962 return Ident(&a); 963} 964 965#if ASAN_UAR == 1 966TEST(AddressSanitizer, LocalReferenceReturnTest) { 967 int *(*f)() = Ident(ReturnsPointerToALocalObject); 968 int *p = f(); 969 // Call 'f' a few more times, 'p' should still be poisoned. 970 for (int i = 0; i < 32; i++) 971 f(); 972 EXPECT_DEATH(*p = 1, "AddressSanitizer: stack-use-after-return"); 973 EXPECT_DEATH(*p = 1, "is located.*in frame .*ReturnsPointerToALocal"); 974} 975#endif 976 977template <int kSize> 978NOINLINE static void FuncWithStack() { 979 char x[kSize]; 980 Ident(x)[0] = 0; 981 Ident(x)[kSize-1] = 0; 982} 983 984static void LotsOfStackReuse() { 985 int LargeStack[10000]; 986 Ident(LargeStack)[0] = 0; 987 for (int i = 0; i < 10000; i++) { 988 FuncWithStack<128 * 1>(); 989 FuncWithStack<128 * 2>(); 990 FuncWithStack<128 * 4>(); 991 FuncWithStack<128 * 8>(); 992 FuncWithStack<128 * 16>(); 993 FuncWithStack<128 * 32>(); 994 FuncWithStack<128 * 64>(); 995 FuncWithStack<128 * 128>(); 996 FuncWithStack<128 * 256>(); 997 FuncWithStack<128 * 512>(); 998 Ident(LargeStack)[0] = 0; 999 } 1000} 1001 1002TEST(AddressSanitizer, StressStackReuseTest) { 1003 LotsOfStackReuse(); 1004} 1005 1006TEST(AddressSanitizer, ThreadedStressStackReuseTest) { 1007 const int kNumThreads = 20; 1008 pthread_t t[kNumThreads]; 1009 for (int i = 0; i < kNumThreads; i++) { 1010 PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))LotsOfStackReuse, 0); 1011 } 1012 for (int i = 0; i < kNumThreads; i++) { 1013 PTHREAD_JOIN(t[i], 0); 1014 } 1015} 1016 1017static void *PthreadExit(void *a) { 1018 pthread_exit(0); 1019 return 0; 1020} 1021 1022TEST(AddressSanitizer, PthreadExitTest) { 1023 pthread_t t; 1024 for (int i = 0; i < 1000; i++) { 1025 PTHREAD_CREATE(&t, 0, PthreadExit, 0); 1026 PTHREAD_JOIN(t, 0); 1027 } 1028} 1029 1030#ifdef __EXCEPTIONS 1031NOINLINE static void StackReuseAndException() { 1032 int large_stack[1000]; 1033 Ident(large_stack); 1034 ASAN_THROW(1); 1035} 1036 1037// TODO(kcc): support exceptions with use-after-return. 1038TEST(AddressSanitizer, DISABLED_StressStackReuseAndExceptionsTest) { 1039 for (int i = 0; i < 10000; i++) { 1040 try { 1041 StackReuseAndException(); 1042 } catch(...) { 1043 } 1044 } 1045} 1046#endif 1047 1048TEST(AddressSanitizer, MlockTest) { 1049 EXPECT_EQ(0, mlockall(MCL_CURRENT)); 1050 EXPECT_EQ(0, mlock((void*)0x12345, 0x5678)); 1051 EXPECT_EQ(0, munlockall()); 1052 EXPECT_EQ(0, munlock((void*)0x987, 0x654)); 1053} 1054 1055struct LargeStruct { 1056 int foo[100]; 1057}; 1058 1059// Test for bug http://llvm.org/bugs/show_bug.cgi?id=11763. 1060// Struct copy should not cause asan warning even if lhs == rhs. 1061TEST(AddressSanitizer, LargeStructCopyTest) { 1062 LargeStruct a; 1063 *Ident(&a) = *Ident(&a); 1064} 1065 1066ATTRIBUTE_NO_ADDRESS_SAFETY_ANALYSIS 1067static void NoAddressSafety() { 1068 char *foo = new char[10]; 1069 Ident(foo)[10] = 0; 1070 delete [] foo; 1071} 1072 1073TEST(AddressSanitizer, AttributeNoAddressSafetyTest) { 1074 Ident(NoAddressSafety)(); 1075} 1076 1077// It doesn't work on Android, as calls to new/delete go through malloc/free. 1078#if !defined(ANDROID) && !defined(__ANDROID__) 1079static string MismatchStr(const string &str) { 1080 return string("AddressSanitizer: alloc-dealloc-mismatch \\(") + str; 1081} 1082 1083TEST(AddressSanitizer, AllocDeallocMismatch) { 1084 EXPECT_DEATH(free(Ident(new int)), 1085 MismatchStr("operator new vs free")); 1086 EXPECT_DEATH(free(Ident(new int[2])), 1087 MismatchStr("operator new \\[\\] vs free")); 1088 EXPECT_DEATH(delete (Ident(new int[2])), 1089 MismatchStr("operator new \\[\\] vs operator delete")); 1090 EXPECT_DEATH(delete (Ident((int*)malloc(2 * sizeof(int)))), 1091 MismatchStr("malloc vs operator delete")); 1092 EXPECT_DEATH(delete [] (Ident(new int)), 1093 MismatchStr("operator new vs operator delete \\[\\]")); 1094 EXPECT_DEATH(delete [] (Ident((int*)malloc(2 * sizeof(int)))), 1095 MismatchStr("malloc vs operator delete \\[\\]")); 1096} 1097#endif 1098 1099// ------------------ demo tests; run each one-by-one ------------- 1100// e.g. --gtest_filter=*DemoOOBLeftHigh --gtest_also_run_disabled_tests 1101TEST(AddressSanitizer, DISABLED_DemoThreadedTest) { 1102 ThreadedTestSpawn(); 1103} 1104 1105void *SimpleBugOnSTack(void *x = 0) { 1106 char a[20]; 1107 Ident(a)[20] = 0; 1108 return 0; 1109} 1110 1111TEST(AddressSanitizer, DISABLED_DemoStackTest) { 1112 SimpleBugOnSTack(); 1113} 1114 1115TEST(AddressSanitizer, DISABLED_DemoThreadStackTest) { 1116 pthread_t t; 1117 PTHREAD_CREATE(&t, 0, SimpleBugOnSTack, 0); 1118 PTHREAD_JOIN(t, 0); 1119} 1120 1121TEST(AddressSanitizer, DISABLED_DemoUAFLowIn) { 1122 uaf_test<U1>(10, 0); 1123} 1124TEST(AddressSanitizer, DISABLED_DemoUAFLowLeft) { 1125 uaf_test<U1>(10, -2); 1126} 1127TEST(AddressSanitizer, DISABLED_DemoUAFLowRight) { 1128 uaf_test<U1>(10, 10); 1129} 1130 1131TEST(AddressSanitizer, DISABLED_DemoUAFHigh) { 1132 uaf_test<U1>(kLargeMalloc, 0); 1133} 1134 1135TEST(AddressSanitizer, DISABLED_DemoOOM) { 1136 size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 40) : (0xf0000000); 1137 printf("%p\n", malloc(size)); 1138} 1139 1140TEST(AddressSanitizer, DISABLED_DemoDoubleFreeTest) { 1141 DoubleFree(); 1142} 1143 1144TEST(AddressSanitizer, DISABLED_DemoNullDerefTest) { 1145 int *a = 0; 1146 Ident(a)[10] = 0; 1147} 1148 1149TEST(AddressSanitizer, DISABLED_DemoFunctionStaticTest) { 1150 static char a[100]; 1151 static char b[100]; 1152 static char c[100]; 1153 Ident(a); 1154 Ident(b); 1155 Ident(c); 1156 Ident(a)[5] = 0; 1157 Ident(b)[105] = 0; 1158 Ident(a)[5] = 0; 1159} 1160 1161TEST(AddressSanitizer, DISABLED_DemoTooMuchMemoryTest) { 1162 const size_t kAllocSize = (1 << 28) - 1024; 1163 size_t total_size = 0; 1164 while (true) { 1165 char *x = (char*)malloc(kAllocSize); 1166 memset(x, 0, kAllocSize); 1167 total_size += kAllocSize; 1168 fprintf(stderr, "total: %ldM %p\n", (long)total_size >> 20, x); 1169 } 1170} 1171 1172// http://code.google.com/p/address-sanitizer/issues/detail?id=66 1173TEST(AddressSanitizer, BufferOverflowAfterManyFrees) { 1174 for (int i = 0; i < 1000000; i++) { 1175 delete [] (Ident(new char [8644])); 1176 } 1177 char *x = new char[8192]; 1178 EXPECT_DEATH(x[Ident(8192)] = 0, "AddressSanitizer: heap-buffer-overflow"); 1179 delete [] Ident(x); 1180} 1181 1182 1183// Test that instrumentation of stack allocations takes into account 1184// AllocSize of a type, and not its StoreSize (16 vs 10 bytes for long double). 1185// See http://llvm.org/bugs/show_bug.cgi?id=12047 for more details. 1186TEST(AddressSanitizer, LongDoubleNegativeTest) { 1187 long double a, b; 1188 static long double c; 1189 memcpy(Ident(&a), Ident(&b), sizeof(long double)); 1190 memcpy(Ident(&c), Ident(&b), sizeof(long double)); 1191} 1192